satisfied by the answers.

On Monday, the credit bureau admitted that an additional 2.5 million Americans may have been affected in the Equifax breach, bringing the current estimate of affected citizens to 145.5 million. On Tuesday, Richard Smith, the former CEO of Equifax, testified in congressional hearings regarding the Equifax breach impact.

Smith began by taking responsibility for the breach, saying in a written statement that he "was ultimately responsible for what happened on [his] watch."

"To each and every person affected by this breach, I am deeply sorry that this occurred. Whether your personal identifying information was compromised, or you have had to deal with the uncertainty of determining whether or not your personal data may have been compromised, I sincerely apologize," Smith wrote in his prepared testimony. "The company failed to prevent sensitive information from falling into the hands of wrongdoers. The people affected by this are not numbers in a database. They are my friends, my family, members of my church, the members of my community, my neighbors. This breach has impacted all of them. It has impacted all of us."

Smith went on to detail the timeline of events leading up to the Equifax breach. He said Equifax received an alert from US-CERT on March 8, 2017, regarding the Apache Struts vulnerability that needed to be patched, and the company shared that message internally on March 9. However, the software was not patched.


Smith claimed the Equifax security team ran vulnerability scans on March 15 "that should have identified any systems that were vulnerable to the Apache Struts issue," but the scans failed to identify the systems needing patching. By then it was already too late: Smith said the initial attack that accessed data occurred on March 13.

The Equifax breach was not detected by IT teams until July 30 and Smith said he was told about the incident on July 31. The investigation into the Equifax breach impact began Aug. 2, but Smith said he was not made aware that personally identifiable information (PII) had been stolen until Aug. 15. The board was notified on Aug. 22 and the breach was finally made public on Sept. 7.

"A substantial complication was that the information stolen from Equifax had been stored in various data tables, so tracing the records back to individual consumers, given the volume of records involved, was extremely time consuming and difficult. To facilitate the forensic effort, I approved the use by the investigative team of additional computer resources that significantly reduced the time to analyze the data," Smith wrote in the statement. "By September 4, the investigative team had created a list of approximately 143 million consumers whose personal information we believed had been stolen."

Equifax breach timeline

Ben Johnson, CTO of Obsidian Security, said that timelines, like those detailing the Equifax breach impact, can be tricky, but he questioned Smith's readiness for such an attack.

"If you race to disclosure, you'll likely be wildly off in stating the impact. If you take too long, then there's the question of why couldn't you have disclosed this sooner to help the affected parties," Johnson told SearchSecurity. "The most striking aspect here is the lack of daily updates as soon as the investigation started -- that shows lack of respect for adversary abilities and very little concern for the sensitivity of the data. It appears Smith was completely out of his league when it comes to asking the right questions around cyber risk and breach."

Barbara Rembiesa, president and CEO of the International Association of IT Asset Managers, said the timeline was plausible, but found it odd that there was a two-day delay between Smith learning of the breach and the investigation beginning.

"This is a lapse in judgment," Rembiesa told SearchSecurity. "Should proper industry best practices have been followed, the CEO would have been informed and the investigation would have been launched on July 30, saving an untold amount of consumer data because the breach would have been closed sooner."

Equifax breach impact response

Gary Golomb, co-founder at Awake Security, took issue with Smith's claim that Equifax policy is to patch a vulnerability in two days.

"This may have been the policy, but it's not grounded in the reality of what it takes to patch a vulnerability. It is nearly physically impossible to patch a vulnerability, test it in an environment to make sure things are working and update and get it ready for public use," Golomb told SearchSecurity. "It's not like you drop a file and it's done. In this case, it would require a recompiling of code and redeployment. No realistic DevOps or security team would expect this to be rebuilt in a few days."

Experts also raised a number of concerns about Equifax's reliance on vulnerability scans to find the flaw. Johnson and others said it was very possible that the scanner had not been updated properly.

Sanjay Raja, CMO at Lumeta, noted the failure of the vulnerability scan could have also been a visibility problem.

"Vulnerability scanners do not discover or identify all of your infrastructure," Raja told SearchSecurity. "That means even if scans were run successfully, in our research, on average 40% of servers and systems are not scanned because they are not part of the asset list."
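To make the visibility problem Raja describes concrete, here is an added example (not from the article or from any vendor named in it) that reconciles a constructed asset inventory against a scanner's configured scope and reports which hosts were never in scope, including those tagged with the software named in an advisory. The host names, addresses and software tags are all constructed.

```python
import ipaddress

# Constructed sample data, not from the article: the asset inventory
# (host -> IP and installed software tags) and the scanner's configured scope.
INVENTORY = {
    "web-portal-01":  {"ip": "10.0.1.10", "software": {"nginx"}},
    "web-portal-02":  {"ip": "10.0.1.11", "software": {"nginx"}},
    "dispute-app-01": {"ip": "10.0.2.20", "software": {"apache-struts", "tomcat"}},
    "dispute-app-02": {"ip": "10.0.2.21", "software": {"apache-struts", "tomcat"}},
    "legacy-report":  {"ip": "192.168.5.5", "software": {"oracle-db"}},
}
SCAN_SCOPE = ["10.0.1.0/28", "192.168.5.5"]  # single IPs or CIDR blocks


def expand_scope(scope):
    """Expand scanner scope entries (IPs or CIDRs) into the set of addresses covered."""
    covered = set()
    for entry in scope:
        # Iterating a network yields every address in it, so a /32 yields one.
        covered.update(ipaddress.ip_network(entry, strict=False))
    return covered


def coverage_report(inventory, scope, advisory_software):
    """Compare the inventory with the scan scope and report the blind spots.

    Returns the hosts the scanner never targeted, the fraction of the inventory
    that was in scope, and which unscanned hosts run the advisory's software.
    """
    covered = expand_scope(scope)
    unscanned = sorted(
        name for name, asset in inventory.items()
        if ipaddress.ip_address(asset["ip"]) not in covered
    )
    at_risk = sorted(n for n in unscanned if advisory_software in inventory[n]["software"])
    coverage = 1 - len(unscanned) / len(inventory) if inventory else 1.0
    return {"unscanned": unscanned, "coverage": coverage, "at_risk": at_risk}


if __name__ == "__main__":
    report = coverage_report(INVENTORY, SCAN_SCOPE, "apache-struts")
    print(f"scan coverage of inventory: {report['coverage']:.0%}")
    print("hosts never in scan scope:", report["unscanned"])
    print("unscanned hosts running the advisory software:", report["at_risk"])
```

A clean scan result only says something about the hosts in the second list's complement; the hosts in `at_risk` are exactly the ones a scan-based patch check would silently miss.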

Billy Sokol, global CTO of public sector at MarkLogic Corporation, said the vulnerability scan was "almost irrelevant" in regard to the Equifax breach impact.

"If they had updated the Struts capability, that could have helped, but there wouldn't have been [more than] 140 million affected if the database was secure, if the data was encrypted, if there was no super user and more granularity security around data," Sokol told SearchSecurity. "If you require that everything work perfectly in order for your data to be protected, you're asking for a breach. Not everything works perfectly all the time and people do make mistakes. Your data needs to be protected even when hackers get in."

Nicholas Hayden, director of engineering at Anomali, said it was time to shift the focus from the Equifax breach impact and cause to "what lawmakers are going to do to fix the issue."

"The punishment doesn't match the crime when it comes to data breaches," Hayden told SearchSecurity. "A company that fails to be good stewards of the critical and vital information they are entrusted with should not be allowed to continue the practice."


Something about this story doesn't make sense. Why would they run a vulscan if they knew there was a specific vulnerability in a specific app? They were briefed on a known vulnerability in Apache Struts. The app should have been patched or taken off-line until a patch was available and the app patched. If the app was critical and they had to leave it online unpatched, it should have been monitored constantly for hacks. This is a serious failure of their IT team and something here is very fishy. I'm very interested in the details here because I work as an ISO 27001 consultant and the Equifax breach is an ISMS failure. I would like to know what others think and if there is more detail. It really doesn't sound like a vulscan issue. This was a patch issue and I was under the impression that the patch was available but had not been applied. When was the patch available? Was it after the March 13 hack? What date was it applied? What were they briefed about? Were they told that there was a vulnerability in Apache Struts or something more general?

I'm replying to my own comment because I reread the article. The comment about encryption is very apt and is an ISMS issue as well. Was the data encrypted at rest? Why was it not encrypted at rest? How mature is Equifax's ISO 27001 registration, because an auditor should at least have put in an OFI for encryption at rest at some point. What was their reason for not having encryption at rest?

"received alert March 8 .. shared internally March 9 ... detected July 30 .. told ... July 31 ... investigation began Aug 2 ... not made aware until Aug 15 ... board notified Aug 22 ... made public Sept 7." "the CEO would have been informed and the investigation would have been launched ... two-day delay between Smith learning of the breach and the investigation beginning ... I approved additional computer resources that reduced the time to analyze," Smith wrote.

Why wasn't the IT team on the list to receive the initial alert? Why not designate specific skilled IT people in advance with the power and responsibility to do what obviously needs to be done? What are the odds the specific designated IT person is more conscientious, not to mention more qualified than the executives, to make the best decision in the best time? If that IT person can't be trusted, why is he there?

Can any bureaucratic process, any concentration of power at the top be justified?